Who Needs Hackers


Moderator: Claw

Myocardial Infarction
GSV Regular
Posts: 1320
Joined: Thu Aug 24, 2006 7:04 pm
Location: Residing in the fantasy of my mind!

Post by Myocardial Infarction »

I just received a strange email purporting to be from the exchange server at work. Thought it was dodgy so forwarded it to the correct person's address for reporting phishing/dodgy emails.

IT Systems chap just came back to me and said that our auditors are doing a penetration test of the network and asked whether I had clicked any of the links (I hadn't thank god :lol:)

It seems at last count and this was only released about an hour ago, that one third of our organisation of approx 110 people had clicked on the link. I am the only one to report it from the company so far.

Wonder how they are going to try to educate the muppets in our office :lol:

I raised computer security with my boss this morning when we copied the whole of one of our areas on the network over to a USB pen drive and I remember raising the fact that a member of staff who was put on Gardening leave after they gave him the heave-ho (and we're talking deputy finance director here) still had full VPN access even though he wasn't allowed back on site without supervision. :fish: I raised it through IT while out on a works do, IT locked him out as they said they hadn't been told and said that from their perspective VPN was a privilege not a right and that under the contractual terms of it they could withhold it from anyone for any reason as per the Company Handbook (which they had put their piece in to make sure of). HR then came back and said he had to have full access back. I actually detest our HR manager as she's such an over paid, over promoted, ill educated fool (I knew I wasn't opinionated at all :P )

He has since joined a competing firm, which was set up with the ex main Underwriting Director who left and then set up this new company while still under contract. They are at present making indicative proposals to buy out our company :boff:

I seriously doubt that employment law is that strong that it makes a company put itself in jeopardy like this. I need to read some of the employment to gen up on it but am I seriously dealing with utter muppets when it comes to what is basically sensitive information that defines whether my company continues to run :blink:

It makes me seriously want to go over my boss's head and say something to the Chief Exec and Chairman but it would just cause problems and animosity between myself and her and I'm sure she'd deal with it. People are so stuck in the dark ages when it comes to simple data security measures and I'd imagine the worst offenders are the people with most information.

HMRC's recent little loss highlights the mad flaws in this digital age :jase:
Nellyboy
GSV Spammer
Posts: 1872
Joined: Sat Aug 26, 2006 12:12 pm

Post by Nellyboy »

A good read Myo. Funny too. Even if you took away all the comps from the staff completely you would simply find sheets of sensitive data blowing about in the car park like confetti. People have a right to be stupid, it's unfortunately the job of the IT staff to stop the leaking of data into a competitor's hands.

It's difficult to say "idiot-proof" at a meeting without death threats arriving within the hour.
Thane
Advanced Member
Posts: 482
Joined: Thu Aug 24, 2006 8:38 pm

Post by Thane »

Might be more than employment law they should be looking into, setting up a competing company while employed depending on what he/she did with certain types of info may be creeping into the realms of fraud at least.

I know why the HR person is saying return the VPN access and yes employment laws might take precedence but not in a case where it wouldn't be required to do his job, removing VPN doesn't prevent anyone from going into work. Only case where VPN might be considered a requirement is a contract home worker.
Myocardial Infarction
GSV Regular
Posts: 1320
Joined: Thu Aug 24, 2006 7:04 pm
Location: Residing in the fantasy of my mind!

Post by Myocardial Infarction »

The bloke who started up the new company took us to court as we withheld all their profit commission due on the years owed and a load of other back money until we could sort out what was going on with the co he'd set up.

We actually sort of won the day and instead of paying about £1.5m we only paid about £300k ;)

I just think it rather incredulous that we have complete muppets who do not even know sweet fa about any of HR, she just spends lots of money asking lawyers their opinion and they just give shit information to cover their arses I've found most of the time. They always give options, rather than stating the options then saying which they think is the most productive, Blood sucking bast'ds tbh.

Can you write into an employment contract that upon either party serving notice the employee will be excluded from the work place on whatever full entitlements they are due, with no access to ongoing company information?

I'm more interested for my own future sake rather than the current company as there are too many egos to give anyone the right information in my current place, but I might be asked in future positions.
Clingy
GSV Regular
Posts: 570
Joined: Thu Aug 24, 2006 5:56 pm
Location: Suffolk

Post by Clingy »

I am astonished that anyone would read into current HR (don't they call it HCM now?) legislation that you have to continue to give full access to someone who is under notice? I'd love to see someone challenge that. It's routine procedure for anyone in Sales to have all access rights removed the moment they give notice. Rarely does a Salesman have to work notice.

In any event there are many ways to "backdoor" remove the access. How about changing the settings/IP. All genuine users will phone in and ask for new details.....I doubt whether the guy under notice would have the cheek to ask!

Data security issues are totally misunderstood by senior management Myo. I am sure I am not the only one here who struggles daily to get this across to people. For example:- The easiest and quickest way for me to secure against the recent QuickTime flaws was to block all streaming media and all file types associated with video. No one here can now play video off the net or email. Of course it doesn't plug the loophole completely, but it's a good fix. The backlash from staff (most senior) that now cannot play YouTube clips was astonishing. But unless they specifically countermand my actions in writing I ain't changing anything. I guess we are lucky in that my boss supports me. We constantly have problems with our trading partners who have much slacker policies and I could go on for ages about some of the "hoops I have had to jump through" recently. But it allows me to sleep at night, and if like me last year you have suffered from a hacking incident, you too tend to be risk averse.
Trig
GSV Spammer
Posts: 4608
Joined: Thu Aug 24, 2006 6:18 pm

Post by Trig »

What u use to block that kinda stuff Clingy, I'm getting bored having to uninstall keewii toolbars n the likes..
Clingy
GSV Regular
Posts: 570
Joined: Thu Aug 24, 2006 5:56 pm
Location: Suffolk

Post by Clingy »

Hi Trig...we have just had a Watchguard Firewall installed. There are others like Fortigate that will do the same Job. We bought a "UTM bundle" that included Spam & Web blocker (Surf Control plugins), AV and anti intrusion. Cost £2500! There are cheaper options depending on the size of your user base.

But it's one of those things where you can study and become a WCE "Watchguard Certified Engineer". In other words bleeding complicated. What it does is very good, but I am not very happy with the reporting side of things. I wanted to know what was going on and who was doing what. In the end none of the 3rd party apps that read Watchguard logs will do what we want so we are building our own SQL Database of the logs.

Had I known what I know now, it would have been better to pass all traffic through a PC acting as a proxy with all the software on. So all web browsing and email traffic goes through a PC with Surf Control on it. That way you get better reports.

To be honest this was way too complicated for us when we started research, but after putting the fear of god into my boss he agreed to pay for some consultancy to advise us of the best way. This included penetration and password tests etc.

If you do any research by all means run your plans by me. I'm no expert, but have learned a lot recently.
Trig
GSV Spammer
Posts: 4608
Joined: Thu Aug 24, 2006 6:18 pm

Post by Trig »

Nice cheers bud, will need to do something when we move out to the new building later in the year.
Thane
Advanced Member
Posts: 482
Joined: Thu Aug 24, 2006 8:38 pm

Post by Thane »

They can install software? Well you fail in letting them have admin rights then ;)

You can write anything you want into a contract, law always supersedes. If they hand in their notice you can take everything away and send them home, if it's garden leave decided by the company then it's a different matter.
Myocardial Infarction
GSV Regular
Posts: 1320
Joined: Thu Aug 24, 2006 7:04 pm
Location: Residing in the fantasy of my mind!

Post by Myocardial Infarction »

Thane wrote: They can install software? Well you fail in letting them have admin rights then ;)
I have local admin rights on my pc at work as some stupid software I have won't let me work without it <_< totally mad and made me laugh when they did it.

Thane wrote: You can write anything you want into a contract, law always supersedes. If they hand in their notice you can take everything away and send them home, if it's garden leave decided by the company then it's a different matter.
That's what I'd like to find out, how much of a difference it actually does make. Being in the Co Sec function you sort of have to act as the guardian of all stupid people in the company at times and try not to end up being the stupid one :lol:

What made me laugh was the fact that they didn't sack the bloke 3 years earlier, when they brought the Group Finance Director in, demoted (with a fat pay rise) the bloke that left and made him the Finance Director of the Managing agent (Sub company). Personally I'd have cut my ties back then and stopped the rot that set in at a much earlier time. But then they did sack the Company Secretary of the time, which is why my boss and I are here :lol:

Think I'm going to have to finish my CoSec studies and then do a bit of an employment law course so I can know what's going on in future.
Thane
Advanced Member
Posts: 482
Joined: Thu Aug 24, 2006 8:38 pm

Post by Thane »

Employment law changes every 5 minutes these days, it's a job to keep up. There are some specific websites set up by in the know companies to help with keeping up and working out your questions.

If you're wondering why they said put the VPN back I'm betting it's because HR think they have to worry about setting themselves up to be liable for a constructive dismissal claim, may sound stupid to you but it's probably what they are worried about.
Last edited by Thane on Fri Jan 18, 2008 7:02 pm, edited 1 time in total.
Myocardial Infarction
GSV Regular
Posts: 1320
Joined: Thu Aug 24, 2006 7:04 pm
Location: Residing in the fantasy of my mind!

Post by Myocardial Infarction »

No I know what our HR are worried about and that's their own asses ;)

Remember over promoted, over paid, and ill educated when it comes to anything HR. It was the lawyers talking. The HR manager started out as the office junior running round after the management of the original 15 person company. She's moved up in 6 years to be HR manager with as far as I can tell little HR training.

She in particular doesn't fit the business, 6 years and she still seems to have very little insurance knowledge even though that's what we do.
Clingy
GSV Regular
Posts: 570
Joined: Thu Aug 24, 2006 5:56 pm
Location: Suffolk

Post by Clingy »

Well at the end of the day you have to make a decision....that's what management is all about....no good sitting on the fence. A possible Ind. Trib action is limited in payout unless they can prove Disability, sex or race discrimination. The potential loss to a company of its confidential records falling into the wrong hands can be devastating (I have seen it happen). If I was an owner of a company I know what I would do and sod the employment law.